ICAI SIA - Notes and Summary

NOTES AND RELEVANT EXTRACT

FROM

STANDARDS ON INTERNAL AUDITIING

ISSUED BY

INSTITUTE OF CHARTERED ACCOUNTANTS OF INDIA

Summarized by – YOGESH JOSHI

[email protected]

mailto:[email protected]

Summary of Standards on Internal Auditing (SIA) from ICAI Page 2 of 29

Preface to the standards of Internal Audit

The Institute of Chartered Accountants of India constituted the "Committee for

Internal Audit (CIA)" on 5th February 2004.

The Standards on Internal Audit shall apply whenever an internal audit is carried

out.

SIAs will be mandatory from the respective date(s) mentioned in the SIA(s).

However, any limitation in the applicability of a specific Standard shall be made

clear in the Standard.

Members will be expected to follow SIAs in the internal audits commencing on or

after the date(s) specified in the Standard.

Framework for the Standards of Internal Audit

Definition of Internal Audit as per the framework

Internal audit is an independent management function, which involves a

continuous and critical appraisal of the functioning of an entity with a view

to suggest improvements thereto and add value to and strengthen the overall

governance mechanism of the entity, including the entity's strategic risk

management and internal control system."

Authority


The first three components of the Framework for Standards on Internal Audit viz.,

the Code of Conduct, the Competence Framework and the Body of Standards shall

be mandatory.

******


Standard on Internal Audit (SIA) 1

Planning an Internal Audit

The internal auditor should, in consultation with those charged with

governance, including the audit committee, develop and document a plan for

each internal audit engagement to help him conduct the engagement in an

efficient and timely manner.

Requirement of Plan:

The internal audit plan should be comprehensive enough to ensure that it helps in

achieving of the above overall objectives of an internal audit.

Thus, According to the standard, The internal audit plan should be-

Consistent with the goals and objectives of the internal audit function.

Consistent with goals and objectives of the organisation.

Should outline the scope of internal audit as well as the duties,

responsibilities and powers of the internal auditor(s).

In case the entire internal audit has been outsourced, the internal auditor

should also ensure that the plan is consistent with the terms of the

engagement.

Should be continuously reviewed by the internal auditor to identify any

modifications required.


Steps in Planning Process:

o Obtaining Knowledge of the Business

o Establishing the Audit Universe

o Establishing the Objectives of the Engagement

o Establishing the Scope of the Engagement

The scope of the engagement should be –

Sufficient in coverage so as to meet the objectives of the engagement.

The internal auditor should consider the information gathered during the

preliminary review stage to determine the scope of his audit procedures.

Documented comprehensively to avoid misunderstanding on the areas covered

for audit.

o Deciding the Resource Allocation

o Preparation of Audit Program

The standard further specifies that –

Though the form and content of the audit program and the extent of its details

would vary with the circumstances of each case, yet the internal audit program

should be so designed as to achieve the objectives of the engagement and also

provide assurance that the internal audit is carried out in accordance with the

Standards on Internal Audit.

*******



Basic Principles Governing Internal Audit

Applicability:

In terms of the decision of the Council of the Institute of Chartered Accountants of

India taken at its 260th meeting held in June, 2006, the following Standard on

Internal Audit shall be recommendatory in nature in the initial period. The Standard

shall become mandatory from such date as notified by the Council.

The standard specifies following principles governing the internal audit. These are

very similar to the principles specified in normal auditing standard of the institute.

Integrity, Objectivity and Independence

The internal auditor should be straightforward, honest and sincere in his

approach to his professional work.

He must be fair and must not allow prejudice or bias to override his

objectivity.

He should maintain an impartial attitude. He should not only be independent in

fact but also appear to be independent.

The internal auditor should not, therefore, to the extent possible, undertake

activities, which are or might appear to be incompatible with his independence

and objectivity.

Confidentiality

The internal auditor should maintain the confidentiality of the information acquired in

the course of his work and should not disclose any such information to a third party,

including the employees of the entity, without the specific authority of the

management/client or unless there is a legal or a professional responsibility to do so.

Due Professional Care, Skills and Competence


The internal auditor should exercise due professional care, competence and diligence

expected of him while carrying out the internal audit.

Work Performed by Others

Documentation

The internal auditor should document matters, which are important in

providing evidence that the audit was carried out in accordance with the

Standards on Internal Audit and support his findings or the report submitted.

Internal control and risk management systems

While the management is responsible for establishment and maintenance of

appropriate internal control and risk management systems, the role of the internal

auditor is to suggest improvements to those systems. For this purpose, the internal

auditor should:

(i) Obtain an understanding of the risk management and internal control framework

established and implemented by the management.

(ii) Perform steps for assessing the adequacy of the framework developed in relation

to the organisational set up and structure.

(iii) Review the adequacy of the framework.

(iv) Perform risk based audits on the basis of risk assessment process.

It is important to note that the standard has specified the subject of risk management

as a consideration for auditors. It is required for the auditor to understand, assess,

review and comment on risk management. It is also important for the auditors to

conduct the audit based on the risk assessment approach.

*******



Documentation

Applicability:

In terms of the decision of the Council of the Institute of Chartered Accountants of

India taken at its 2601 meeting held in June, 2006, the following Standard on

Internal Audit shall be recommendatory in nature in the initial period. The Standard

shall become mandatory from such date as notified by the Council.

The Documentation standard requires that –

The internal auditor should document matters, which are important in

providing evidence that the audit was carried out in accordance with the

Standards on Internal Audit and support his findings or the report submitted by

him.

Internal audit documentation may be recorded on paper or on electronic or other

media.

It includes, for example, audit programmes, analyses, issues memoranda,

summaries of significant matters, letters of confirmation and representation,

checklists, and correspondence (including e mail) concerning significant matters.

Abstracts or copies of the entity's records, for example, significant and specific

contracts and agreements, may be included as part of internal audit

documentation, if considered appropriate.

Internal audit documentation, however, is not a substitute for the entity's

accounting records. The internal audit documentation for a specific internal audit

engagement is assembled in an audit file.


Internal audit documentation should record the internal audit charter, the internal

audit plan, the nature, timing and extent of audit procedures performed, and the

conclusions drawn from the evidence obtained.

Internal audit documentation should be designed and properly organised to meet

the requirements and circumstances of each audit and the internal auditor's needs

in respect thereof. The internal auditor should formulate policies that help in

standardisation of the internal audit documentation.

Internal audit documentation should be sufficiently complete and detailed for

an internal auditor to obtain an overall understanding of the audit.

The extent of documentation is a matter of professional judgment since it is

neither practical nor possible to document every observation, finding or conclusion

in the internal audit documentation.

All the significant matters which require exercise of judgment, together with

the internal auditor's conclusion thereon should be included in the internal

audit documentation.

The documentation should be sufficient to be relied as evidence for

authenticating-

(a) the nature, timing and extent of the audit procedures performed to comply

with SIAs and applicable legal and regulatory requirements;

(b) the results of the audit procedures and the audit evidence obtained;

(c) significant matters arising during the audit and the conclusions reached

thereon;

(d) terms and conditions of an internal audit engagement/requirements of the

internal audit charter, scope of work, reporting requirements, any other special

conditions, affecting the internal audit.


The form, extent and contents of the documentation would also be affected by

the nature and terms of the engagement, and any statutory or regulatory

requirements in that regard.

It is, however, neither necessary nor practicable to document every matter the

auditor considers during the audit.

The standard also specifies that the Identification of the Preparer and

Reviewer should be documented for the working papers along with the source

and cross referencing for documents.

The preparers and reviewers of the internal audit documentation should also sign

them.

The internal audit file should be assembled within sixty days after the signing

of the internal audit report. Assembly of the internal audit documentation file is

only an administrative process and does not involve performance of any new audit

procedures or formulation of new conclusions.

If Audit working papers are required to be changed later on, then the internal

auditor should document the details of circumstances and all the necessary

additional documentation.

Document Retention and Access:

The internal auditor should formulate policies as to the custody and retention of

the internal audit documentation within the framework of the overall policy of the

entity in relation to the retention of documents. The internal auditor retains the

ownership of the internal audit documentation.


After the assembly of the audit file, the internal auditor should not delete or

discard internal audit documentation before the end of the retention period.

*******



Reporting

The internal auditor should review and assess the analysis drawn from the internal

audit evidence obtained as the basis for his conclusion on the efficiency and

effectiveness of systems, processes and controls including items of financial

statements.

The internal auditor's report should contain a clear written expression of

significant observations, suggestions/ recommendations based on the policies,

processes, risks, controls and transaction processing taken as a whole and

managements' responses:

Title;

Addressee;

Report Distribution List;

Period of coverage of the Report;

Opening or introductory paragraph:

identification of the processes/functions and items of financial statements

audited; and

A statement of the responsibility of the entity's management and the

responsibility of the internal auditor.

Objectives paragraph statement of the objectives and scope of the internal

audit engagement;

Scope paragraph (describing the nature of an internal audit):

o a reference to the generally accepted audit procedures in India, as

applicable;


o a description of the engagement background and die methodology of the

internal audit together with procedures performed by the internal

auditor; and

o A description of the population and the sampling technique used.

Executive Summary, highlighting the key material issues, observations, control

weaknesses and exceptions;

Observations, findings and recommendations made by the internal auditor;

Comments from the local management;

Action Taken Report Action taken/ not taken pursuant to the observations

made in the previous internal audit reports;

Date of the report;

Place of signature; and

Internal auditor's signature with Membership Number.

The internal auditor's report, in line with the terms of the engagement, should

describe the internal audit as including:

A. Examining, on a test basis, evidence to support the amounts and disclosures

in financial statements;

B. Assessing the strength, design and operating effectiveness of internal

controls at process level and identifying areas of control weakness, business

risks and vulnerability in the system and procedures adopted by the entity;

C. Assessing the accounting principles and estimates used in the preparation of

the financial statements; and


D. Evaluating the overall entity-wide risk management and governance

framework.

The Report should include a description of the engagement background,

internal audit methodology used and procedures performed by the internal

auditor mentioning further that the internal audit provides a reasonable basis

for his comments.

Comments from Local Management

The Comments from Local Management Paragraph should contain the observations

and comments from the local management of the entity provided after giving due

cognizance to the internal auditor's comments.

The report should be signed by the internal auditor in his personal name. The

internal auditor should also mention the membership number assigned by the

Institute of Chartered Accountants of India in the report so issued by him.

The internal auditor should discuss the draft with the entity's management prior to

issuing the final report. The different stages of communication and discussion

should be as under:

Discussion Draft –

Exit Meeting –

Formal Draft –

Final Report –

Limitation on Scope

When there is a limitation on the scope of the internal auditor's work, the internal

auditor's report should describe the limitation.

*******



Sampling

When using either statistical or non statistical sampling methods, the internal

auditor should design and select an audit sample, perform audit procedures

thereon, and evaluate sample results so as to provide sufficient appropriate audit

evidence to meet the objectives of the internal audit engagement unless

otherwise specified by the client.

"Audit sampling" means the application of audit procedures to less than 100% of

the items within an account balance or class of transactions to enable the

internal auditor to obtain and evaluate audit evidence about some

characteristic of the items selected in order to form a conclusion concerning

the population.

"Sampling risk", means the risk that from the possibility that the internal auditor's

conclusions, based on examination of a sample may be different from the

conclusion reached if the entire population was subjected to the same types of

internal audit procedure. The two types of sampling risk are --

The risk that the internal auditor concludes that controls are more effective

than they actually are, or that a material error or misstatement does not exist

when in fact it does.

The risk that the internal auditor concludes that controls are less effective

than they actually are, or that a material error or misstatement exists when in

fact it does not.


Sampling risk can be reduced by increasing sample size for both tests of

controls and tests of details. Non-sampling risk can be reduced by proper

engagement planning, supervision, monitoring and review.

Stratification

To assist in the efficient and effective design of the sample, stratification may be

appropriate.

Statistical and Non Statistical Approaches

When applying statistical sampling, sample size may be ascertained using either

probability theory or professional judgment.

Tolerable Error

Tolerable error is the maximum error in the population that the internal auditor

would be willing to accept and still concludes that the result from the sample has

achieved the objective(s) of the internal audit.

Expected Error

If the internal auditor expects error to be present in the population, a larger

sample than when no error is expected ordinarily needs to be examined to

conclude that the actual error in the population is not greater than the planned

tolerable error.

Selection of the Sample

The internal auditor should select sample items in such a way that that sample

can be expected to be representative of the population. This requires that all

items or sampling units in the population have an opportunity, of being

selected.


While there are a number of selection methods, three methods commonly used are

-

o Random selection and use of CAATs

o Systematic selection

o Haphazard selection

Further steps in the Sampling for the Auditor include –

Analysis of Errors in the Sample

Documentation

*******



Analytical Procedures

The internal auditor should apply analytical procedures as the risk assessment

procedures at the planning and overall review stages of the internal audit.

Analytical procedures include the consideration of comparisons of the entity's

financial and non financial information with, for example:

o Comparable information for prior periods.

o Anticipated results of the entity, such as budgets or forecasts.

o Predictive estimates prepared by the internal auditor.

o Similar industry information such as a comparison of the entity's ratios

with industry averages.

o Analytical procedures also include consideration of relationships.

Various methods may be used in performing the above procedures. These range

from simple comparisons to complex analyses using advanced statistical

techniques.

Analytical procedures may be applied to consolidated financial statements,

financial statements of components (such as subsidiaries, divisions or segments)

and individual elements of financial information and relevant non financial

information.

The internal auditor's choice of procedures, methods and level of application is a

matter of professional judgment.


Specific analytical procedures include, but are not limited to ratio, trend, and

regression analysis, reasonableness tests, period to period comparisons,

comparisons with budgets, forecasts, and external economic information.

Analytical procedures may identify, among other things, differences that are not

expected or absence of differences when they are expected, which may have

arisen on account of factors such as errors, frauds, unusual or non recurring

transaction or events, etc.

Analytical Procedures as Risk Assessment Procedures and in Planning the

Internal Audit:

The internal auditor should apply analytical procedures as risk assessment

procedures to obtain an understanding of the business, the entity and its

environment and in identifying areas of potential risk. Application of analytical

procedures may indicate aspects of the business of which the internal auditor was

unaware and will assist in determining the nature, timing and extent of other

internal audit procedures.

Analytical Procedures as Substantive Procedures:

The internal auditor's reliance on substantive procedures to reduce detection risk

may be derived from tests of details, from analytical procedures, or from a

combination of both.

The decision about which procedures to use to achieve a particular internal audit

objective is based on the internal auditor's judgment about the expected

effectiveness and efficiency of the available procedures in reducing detection risk

relating to process, systems and controls.


When intending to perform analytical procedures as substantive procedures, the

internal auditor will need to consider a number of factors such as the:

o Objectives of the analytical procedures and the extent to which their

results can be relied upon.

o Nature of the business, entity and the degree to which information can

be disaggregated.

o Availability of information, both financial and non financial.

o Reliability of the information available.

o Relevance of the information available.

o Source of the information available.

o Comparability of the information available.

o Knowledge gained during previous internal audits.

o Controls over the preparation of the information.

Extent of Reliance on Analytical Procedures:

The application of analytical procedures is based on the expectation that

relationships among data exist and continue in the absence of known conditions to

the contrary.

However, reliance on the results of analytical procedures will depend on the

internal auditor's assessment of the risk that the analytical procedures may

identify relationships as expected when, in fact, a material misstatement exists.

Investigating Unusual Items or Trends

When analytical procedures identify significant fluctuations or relationships that

are inconsistent with other relevant information or that deviate from predicted


amounts, the internal auditor should investigate and obtain adequate explanations

and appropriate corroborative evidence.

Unexplained results or relationships may be indicative of a significant condition

such as a potential error, irregularity, or illegal act.

Results or relationships that are not sufficiently explained should be

communicated to the appropriate levels of management.

*******



Quality Assurance in Internal Audit

A system for assuring quality in internal audit should provide reasonable

assurance that the internal auditors comply with professional Standards,

regulatory and legal requirements, so that the reports issued by them are

appropriate in the circumstances.

In order to ensure compliance with the professional Standards, regulatory and

legal requirements, and to achieve the desired objective of the internal audit, a

per son within the organisation should be entrusted with the responsibility for the

quality in the internal audit, whether done in - house or by an external agency.

In the case of the in-house internal audit or a firm carrying out internal audit, the

person entrusted with the responsibility for the quality in internal audit should

ensure that the system of quality assurance include policies and procedures

addressing each of the following elements:

Leadership responsibilities for quality in internal audit - The person entrusted

with the responsibility for the quality in internal audit should take responsibility

for the overall quality in internal audit.

Ethical requirements - The person entrusted with the responsibility for the

quality in internal audit should establish policies and procedures designed to

provide it with reasonable assurance that the personnel comply with relevant

ethical requirements.

Acceptance and continuance of client relationship and specific engagement, as

may be applicable - The person entrusted with the responsibility for the quality in

internal audit should establish policies and procedures for the acceptances and


continuance of client relationships and specific engagements, designed to provide

reasonable assurance that it will undertake or continue relationships and

engagements.

Human resources - The person entrusted with the responsibility for the quality in

internal audit should establish policies and procedures regarding assessment of the

staff's capabilities and competence designed to provide it with reasonable

assurance that there are sufficient personnel with the capabilities, competence,

and commitment to ethical principles.

Engagement performance - The person entrusted with the responsibility for the

quality in internal audit should establish policies and procedures designed to

provide it with reasonable assurance that engagements are performed in

accordance with the applicable professional Standards and regulatory and legal

requirements and that the reports issued by the internal auditors are appropriate

in the circumstances.

Monitoring - The person entrusted with the responsibility for the quality in

internal audit should establish policies and procedures designed to provide

reasonable assurance that the policies and procedures relating to the system of

quality assurance are relevant, adequate, operating effectively and complied with

in practice.

External Quality Review

The frequency the external quality review should be based on a consideration of

the factors such as the maturity level of the internal audit activity in the entity,


results of the earlier internal audit quality reviews, feedbacks as to the usefulness

of the internal audit activity from the customers of the internal audit, etc.

Communicating Results of the External Quality Review

The external quality reviewer should discuss his findings with the person entrusted

with the responsibility for the quality in internal audit.

His final report should contain his opinion on all the parameters of the internal

audit activity, and should be submitted to the person entrusted with the

responsibility for the quality in internal audit and copies thereof be also sent to

those charged with governance.

*******



Terms of Internal Audit Engagement

The internal auditor and the auditee should agree on the terms of the

engagement before its commencement.

The terms of engagement should be approved by the Board of Directors or a

relevant Committee thereof such as the Audit Committee or such other

person(s) as may be authorised by the Board in this regard.

The following are the key elements of the terms of the internal audit engagement:

o Scope

o Responsibility

o Authority

o Confidentiality

o Limitations

o Reporting

o Compensation

o Compliance with Standards

Scope

The terms of the engagement should contain a statement in respect of the scope

of the internal audit engagement. The scope It should indicate areas where

internal auditors are expected to make their recommendations and value added

comments.

The terms of engagement should clearly mention that the internal auditor

would not, ordinarily, be involved in the preparation of the financial


statements of the auditee. It should also be made clear that the internal audit

would not result in the expression, by the internal auditor, of an opinion, or any

other form of assurance on the financial statements or any part thereof of the

auditee.

Responsibility

The terms of the engagement should clearly mention the responsibility of the

auditee vis a vis the internal auditor.

Authority

The terms of engagement should provide the internal auditor with requisite

authority, including unrestricted access to all departments, records, property and

personnel and authority to call for information. Also, the internal auditor should

have full authority on his technologies and other properties like hardware and

audit tools he may use in course of performing internal audit.

Confidentiality

Confidentiality of Working Papers

The terms of engagement should be clear that the ownership of the working

papers rests with the internal auditor and not the auditee.

The terms should lay down the policy and the procedures to be followed regarding

requests received for internal auditor's working papers from third parties including

external auditors.

The internal audit engagement may also be subject to a peer review by a

regulator, requiring the internal auditor to disclose his working papers to the peer


reviewer without the permission of the auditee. The engagement letter should

bring out this fact clearly.

Confidentiality of the Report

The engagement letter should contain a condition that the report of the internal

auditor should not be distributed or circulated by the auditee or the internal

auditor to any party other than that mutually agreed between the internal auditor

and the auditee unless there is a statutory or a regulatory requirement to do so.

Limitations

The terms of engagement should specify clearly the limitations on scope, coverage

and reporting requirement, if any.

It may also mention that the internal auditor or any of his employees shall not

be liable to the auditee for any claims, damages, liabilities or expenses relating

to the engagement exceeding the aggregate amount of compensation agreed

upon by both the parties.

Reporting

The terms of the engagement should clearly lay down the requirements as to the

manner, frequency of reporting and the list of intended recipients of the internal

audit report.

Compensation


There should be a clear understanding among the internal auditor and the client as

to the basis on which the internal auditor would be compensated, including any

out of pocket expense, taxes etc., for the services performed by him.

Compliance with Standards

The terms of the internal audit engagement should contain a statement that the

internal audit engagement would be carried out in accordance with the

professional Standards applicable to such engagement as on the date of audit.

Withdrawal from the Engagement

In case the internal auditor is unable to agree to any change in the terms of the

engagement and/ or is not permitted to continue as per the original terms, he

should withdraw from the engagement and should consider whether there is an

obligation, contractual or otherwise, to report the circumstances necessitating the

withdrawal to other parties.

*******


Summarized by – YOGESH JOSHI

[email protected]

mailto:[email protected]

ICAI SIA - Notes and Summary

Documents